I am always interested to see the dialogue on the listserv of the Information Security Committee (ISC) of the American Bar Association Section of Science & Technology Law. As a former Co-Chair of the ISC and Immediate Past Chair of the Section, I like to see people sharing ideas, tips, and useful documents, such as forms and checklists, that help people do their jobs. One of the recent posts on the ISC listserv caught my attention.
I would assume that almost all, if not all, of the Fortune 500 businesses have a sophisticated set of security-related documents to govern security practices, including a security policy and more detailed procedural documents. Nonetheless, mid-size businesses, and certainly small businesses, may have no security documentation at all. Accordingly, I was not surprised to see a recent post about a company that does not have a security policy. I am assuming that it is a small or mid-sized business.
The interesting thing about the post is not that the company has no security policy. I am assuming that many of the ISC members and legal community have urged their clients or customers to create and implement such documentation for many years. I recognize, however, that for whatever reason, many businesses simply have not created security documentation yet, despite the constant news stories about security breaches.
The post was interesting because the company sought to respond to a request for proposal (RFP) from a potential customer, and the RFP required responding parties to provide their security policies as part of the response. It is one thing for a company, as an internal decision, to postpone writing a security policy. It is another for a potential customer to demand it. Indeed, the rigor behind the policy may be one of the criteria on which the customer judges potential bidders. For that company without a security policy, creating a policy is not simply a matter of “doing the right thing,” “compliance,” or “good practice.” It’s a pocketbook issue.
Many of you may work for large corporations, and so it may not be much of a problem to provide a potential customer the high-level or public-facing security policy document. But for those of you in smaller organizations, now is the time to make sure you have your security policy ducks in a row. I do believe that what this company experienced will become more common.
Lawyers should also take note. When your clients seek to acquire a company or procure services, checking the information security policy should be part of your due diligence checklist. Lawyers representing potential acquisition targets and vendors should prepare their clients now for an inquiry about security policies from a potential acquiring company or customer. It is also increasingly common for the due diligence to have an information security assessment component. There are a host of issues that go into managing the negotiation of an assessment procedure, but that is a story that will have to await another article.
Partner, Cooke Kobrick & Wu LLP